The permissions on this repository are being updated. This may take a while.
During this time, you or some of the project's contributors may not be able
to push to this repository.
189ccc3Verify that mount didn't fail, fix CVE-2017-7496
Authored and Committed by Michael Scherer
6 years ago
Verify that mount didn't fail, fix CVE-2017-7496
Since /tmp is world writable, and we do not verify the return code
of mount (or mkdir), a local attacker could precreate /tmp/boot
and /tmp/root directories in a way that mount fail, and later
add symlink to fool the script. For example /tmp/root/etc/ pointing to
/etc , which in turn will make this sed call
sed -i 's/root:x:/root::/' /tmp/root/etc/passwd
modify the real /etc/password file (since the tool is running
as root, SELinux policies are most likely bypasswed, and the symlink
protection in /tmp wouldn't be applicable if the symlink is directory).
Thanks to Adam Mariš from Red Hat Product Security for helping me
verify the attack vector.